Hello! On Thu, Oct 30, 2014 at 03:05:18PM +0100, Richard Fussenegger wrote:
> The rationale may make sense depending on the priorities, but shouldn't the
> default configuration target generic applications? Generic applications
> don't need compatibility with ancient software (only IE6 on XP actually
> /needs/ SSLv3, don't know about libraries though).

That's exactly the point: the default is for the generic case, and in
general there is nothing wrong with supporting SSLv3 as long as nothing
better is available. And there are various clients which don't support
anything better, including IE6 on XP.

The bad thing with POODLE is actually that due to fallback code in
browsers it used to affect modern browsers. This problem goes away
gradually.

> Administrators who need the support can still enable it and make use of
> SCSV. And don't forget that 'modern browser' applies to IE up to 11, FF up
> to 34, Chrome up to ? (couldn't find the exact version) of which actually
> not a single one has SCSV support and they won't get it! Providing

As of now, the problem doesn't affect at least:

- latest versions of Chrome (TLS_FALLBACK_SCSV);
- latest versions of Opera (TLS_FALLBACK_SCSV, anti-POODLE record splitting);
- latest versions of Safari (no block ciphers over SSLv3);
- latest (upcoming?) versions of Firefox (disabled fallback to SSLv3);
- upcoming versions of IE (announced plans to disable fallback to SSLv3).

This basically covers all modern browsers (or at least almost all).

Talking about not updated versions from a security point of view is
mostly pointless, as there are multiple security problems fixed on a
regular basis, and not updated means not secure.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
http://mailman.nginx.org/mailman/listinfo/nginx-devel
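The mechanism the thread argues about, TLS_FALLBACK_SCSV (RFC 7507) versus the browser version-fallback dance that POODLE relies on, modelled end to end as an added example. This is illustration code written for this page, not code from nginx, OpenSSL or the mailing list. The ClientHello bytes are hand-built, the browser retry orders, cipher-suite lists and server names (scsv_server, legacy_server) are constructed assumptions, and the model covers both the "modern browser with SCSV" case and the "SSLv3-only client such as IE6 on XP" case so the two sides of the argument can be compared on the same server.

```python
"""TLS_FALLBACK_SCSV (RFC 7507) vs. POODLE-style version fallback, in miniature.

Added example, not nginx/OpenSSL code. ClientHello encoding follows RFC 5246
section 7.4.1.2 with no extensions; everything else here is a constructed model.
"""
import struct

SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3_0: "SSLv3", TLS1_0: "TLSv1", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}

TLS_FALLBACK_SCSV = 0x5600        # RFC 7507 signalling value; not a real cipher suite
SAMPLE_SUITES = [0x002F, 0x0005]  # constructed: AES128-SHA (CBC, what POODLE needs), RC4-SHA


def build_client_hello(client_version, cipher_suites):
    """Encode a minimal TLS record carrying a ClientHello handshake message."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                        # client_random, fixed for reproducibility
    body += b"\x00"                             # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", client_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite values]) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                # skip client_random
    pos += 1 + body[pos]                        # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return client_version, suites


def server_respond(record, min_version, max_version, honors_scsv):
    """Server side of RFC 7507 section 3: negotiated version (int) or an alert (str)."""
    client_version, suites = parse_client_hello(record)
    if client_version < min_version:
        return "alert: protocol_version"
    # A hello that carries the SCSV but offers less than the server's best version
    # can only be a fallback retry, and an attacker may have forced it: refuse it.
    if honors_scsv and TLS_FALLBACK_SCSV in suites and client_version < max_version:
        return "alert: inappropriate_fallback"
    return min(client_version, max_version)


def scsv_server(record):
    """SSLv3 through TLSv1.2 enabled, OpenSSL that implements the SCSV."""
    return server_respond(record, SSL3_0, TLS1_2, honors_scsv=True)


def legacy_server(record):
    """Same protocol range, but a build that predates TLS_FALLBACK_SCSV."""
    return server_respond(record, SSL3_0, TLS1_2, honors_scsv=False)


def browser_connect(server, attempt_order, sends_scsv, handshakes_dropped):
    """Model browser version fallback. Every failed handshake is retried with the
    next lower version in attempt_order; handshakes_dropped is how many leading
    attempts a man-in-the-middle makes fail (POODLE's first step)."""
    for i, version in enumerate(attempt_order):
        if i < handshakes_dropped:
            continue                            # looked like a network error: fall back
        suites = list(SAMPLE_SUITES)
        if sends_scsv and i > 0:
            suites.append(TLS_FALLBACK_SCSV)    # mark this hello as a fallback retry
        result = server(build_client_hello(version, suites))
        if isinstance(result, int):
            return VERSION_NAMES[result]
        if result == "alert: inappropriate_fallback":
            return "refused (inappropriate_fallback)"
        # protocol_version alert: the server really is older, keep falling back
    return "connection failed"


MODERN = [TLS1_2, TLS1_1, TLS1_0, SSL3_0]       # browsers that still fall back to SSLv3
NO_SSL3_FALLBACK = [TLS1_2, TLS1_1, TLS1_0]     # e.g. Firefox with SSLv3 fallback disabled


def scenarios():
    """Outcomes for the cases discussed in the thread (constructed, see lead-in)."""
    return {
        "no attacker, scsv browser": browser_connect(scsv_server, MODERN, True, 0),
        "poodle, scsv browser vs scsv server": browser_connect(scsv_server, MODERN, True, 3),
        "poodle, scsv browser vs legacy server": browser_connect(legacy_server, MODERN, True, 3),
        "poodle, browser without scsv": browser_connect(scsv_server, MODERN, False, 3),
        "poodle, browser with no ssl3 fallback": browser_connect(scsv_server, NO_SSL3_FALLBACK, True, 3),
        "ie6/xp style ssl3-only client": browser_connect(scsv_server, [SSL3_0], False, 0),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:42s} -> {outcome}")
```

The model shows both halves of the argument: leaving SSLv3 enabled on a server that honours the SCSV still refuses a forced downgrade from a browser that sends it, while a genuine SSLv3-only client that never offered anything better (and therefore never sends the SCSV) still connects; the only clients left exposed are those that fall back to SSLv3 without the SCSV, which is the population the thread says is shrinking as browsers update.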
